New DB2 Flaws Could Prove Troublesome
Security experts have discovered two new vulnerabilities in IBM's DB2 database software, both of which allow an attacker to gain root privileges on vulnerable servers.Security experts have discovered two new vulnerabilities in IBMs DB2 database software, both of which allow an attacker to gain root privileges on vulnerable servers. The weaknesses are potentially quite dangerous, considering that DB2 is one of the most popular enterprise databases, especially for e-business applications. However, the flaws can only be exploited by local users, so the risk is mitigated somewhat. The vulnerabilities lie in two binaries that ship by default with DB2: db2licm and db2dart. The former is the license management tool for the database and is used by administrators to install license keys and set license policies. The latter is a consistency and error-checking tool that can be used to identify and mark incorrect data.
Both flaws are stack-based buffer overruns and can be triggered by sending long command-line arguments to the vulnerable binaries. Once a local user executes the attack, he would have root privileges on the machine, giving him the ability to run any code he chooses.